author | ficus <ficus@robocracy.org> | 2012-11-23 19:18:56 +0100 |
---|---|---|
committer | ficus <ficus@robocracy.org> | 2012-11-23 19:18:56 +0100 |
commit | 6d09271d70fa528b1e546dad0d6f5d1697e5c027 (patch) | |
tree | 3c13bef864c736a4db6f3bf4ae26fc0560aabc85 /config | |
parent | 2c2bfbecdb58042acb89fa4b2831d56a534c908a (diff) | |
add IPv6 randomization and misc spoofing protections
Diffstat (limited to 'config')
-rw-r--r-- | config/includes.chroot/etc/sysctl.conf | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/config/includes.chroot/etc/sysctl.conf b/config/includes.chroot/etc/sysctl.conf
index 916e972..b8460d0 100644
--- a/config/includes.chroot/etc/sysctl.conf
+++ b/config/includes.chroot/etc/sysctl.conf
@@ -3,3 +3,18 @@ vm.laptop_mode=5
 vm.swappiness=0
 vm.dirty_writeback_centisecs=1500
 vm.dirty_expire_centisecs=1500
+
+# Use randomized addresses for IPv6
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+net.ipv4.conf.all.secure_redirects = 1
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
|
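Review bot: `net.ipv4.conf.all.secure_redirects = 1` narrows ICMP redirect handling but leaves it switched on, because it only filters redirects the kernel is otherwise willing to accept and nothing visible in this hunk turns acceptance off. If on-link hosts are not meant to change this image's routes, add `net.ipv4.conf.all.accept_redirects=0` and `net.ipv4.conf.default.accept_redirects=0` beside it; the part of sysctl.conf above line 3 is not shown, so this may already be set there. The comment above the rp_filter lines still says "Uncomment the next two lines" although both settings are now active, so it should read something like `# Spoof protection (reverse-path filter)`. The `= 1` spacing on the secure_redirects line also differs from the `=1` form used on every other line of the hunk.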